Amazon Server Misconfiguration and IT Error Expose Hundreds of Millions of Users’ Data

In the wake of the devastating WannaCry and NotPetya ransomware attacks, it was hard to imagine any more negligence in the IT world. But, just a few short weeks later, security researchers found misconfigured servers and bad defaults, coupled with simple IT errors, that exposed hundreds of millions of users’ personal information. Where did they find this information? Amazon. Yes, Amazon – the web service known for securely loading, storing, and moving large amounts of data.

A Bit of Background

Amazon S3, part of Amazon Web Services (AWS), provides utility storage for a variety of web apps. S3 is cost effective, globally available, massively scaled and has essentially transformed the storage industry. S3’s architecture allows users and applications to access data in a seamless and efficient manner. To use S3, you define “buckets” where you want to store data and each bucket gets its own URL. When a bucket is created, the default sharing permissions are set to private, meaning only the account owner that created the bucket can access it. But data is meant to be shared, so Amazon lets the user extend access to others by defining identity and access management policies.

There are different levels at which permissions can be set (on the bucket itself and on the objects within it), giving users flexibility. This seems beneficial, but many users are not configuring the permissions on their buckets correctly, and a misconfigured bucket is an insecure bucket. The method for managing bucket permissions is not as intuitive as it could be, but reviewing the permissions that are actually in place would probably have helped. Within the Web Services console, the only other sharing option available is “Public,” an option that Amazon tags as “Not Recommended”.
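An S3 bucket can be exposed at either of the two levels described above: by a bucket ACL that grants a permission to one of Amazon’s public groups, or by a bucket policy that allows a wildcard principal. The audit routine below is an added example, not code from the original post or from Amazon; it checks both levels offline. The ACL and policy structures mirror the shape of what the AWS API returns for a bucket’s ACL and policy, but the sample bucket names, owner ID and grants are constructed for the example, and the group URIs for “AllUsers” and “AuthenticatedUsers” are Amazon’s real identifiers for the two public groups.

```python
import json

# Group URIs Amazon uses in S3 ACL grants for the two "public" groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "everyone (anonymous)",
    AUTHENTICATED_USERS: "any AWS account holder",
}


def public_acl_grants(acl):
    """Return (permission, who) for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grant["Permission"], PUBLIC_GROUPS[grantee["URI"]]))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sid (or index) of each Allow statement open to a wildcard principal."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A condition narrows the grant; whether it narrows it enough needs a
            # separate review, so it is not reported as unconditionally public here.
            continue
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def audit_bucket(name, acl, policy_json=None):
    """Combine both checks into a list of human-readable findings for one bucket."""
    issues = []
    for permission, who in public_acl_grants(acl):
        issues.append(f"{name}: ACL grants {permission} to {who}")
    if policy_json:
        for sid in public_policy_statements(policy_json):
            issues.append(f"{name}: bucket policy statement '{sid}' allows a wildcard principal")
    return issues


# Constructed sample data: one bucket left public at both levels, one left private.
OWNER_ID = "EXAMPLE-OWNER-CANONICAL-ID"  # placeholder, not a real canonical user ID
SAMPLE_PUBLIC_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_PRIVATE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
    ],
}
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    for line in audit_bucket("example-bucket", SAMPLE_PUBLIC_ACL, SAMPLE_PUBLIC_POLICY):
        print(line)
    print("private-bucket findings:", audit_bucket("private-bucket", SAMPLE_PRIVATE_ACL))
```

Run with real data by feeding each bucket’s ACL and policy document into `audit_bucket`; an empty list means neither level grants access to a public group or a wildcard principal, which is the state a bucket should be in before it is treated as reviewed.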

Why is this so bad?

Some of the world’s largest companies are experiencing massive data breaches:

Breaches of this size, with buckets holding a large collection of sensitive information, can be catastrophic.

Who is to blame?

Both user error and Amazon share blame for the series of cloud data leaks. Imagine leaving your house and not locking the front door. Sure, a burglar holds some of the blame if you get robbed, but perhaps you should have taken a little more care in securing the house. IT administrators need to take more precaution when setting permissions to ensure that systems and data are appropriately protected. Reviewing bucket permissions before applying them would be a step in the right direction.

Due to the number of careless mistakes, though, Amazon has to accept some of the blame. They have followed up with a security alert to warn users and encourage them to review bucket permissions. It does raise awareness, but it doesn’t solve Amazon’s weak configuration options. It also won’t prevent IT admins from taking a shortcut or an outsider from discovering vulnerabilities.

Corporate Awareness Required

The possibility of an outsider uncovering company data should be the most important thing on IT’s mind. Defining checks and balances, identifying weaknesses and running vulnerability scans are best practices. They should be performed before and after a service is published or configuration is made. If you don’t have confidence in your IT department or provider to implement best practices, then you need to start giving marching orders.

These breaches will be topped in the future if the mindset of cyber resiliency across all platforms doesn’t become standard.

Based in Cary, North Carolina, Technology Associates is a full service technology consulting firm specializing in providing Managed IT Services for small to medium sized businesses (20 - 200 employees) throughout the Raleigh-Durham, Greensboro and Charlotte areas.

Managed IT Services is the core of what we do, but we use a unique approach developed over the past 20 years. We have a different perspective on IT costs and results, which directly impacts how we interact with our customers.

IT Support forms the foundation, but it is much more than just picking up the phone when you have issues. ALL IT companies will do that. It is the specific processes and procedures we use to deliver our IT Services that set us apart.

If you have a business in Raleigh/Durham, Greensboro or Charlotte with 15 or more employees, we would love the opportunity to speak with you but chances are, you aren’t ready to make a change in your IT Vendor overnight.
